3dcbb454901ec7abac12a4ccd70ae4737003269f1fb2d93a7fcb115f62f4ec95

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6950de30b17788894ae91f0fc276a5a.exe
Size

506KB
MD5

d6950de30b17788894ae91f0fc276a5a
SHA1

45e9524c62f38e6538b1504e0542ac361a07e818
SHA256

3dcbb454901ec7abac12a4ccd70ae4737003269f1fb2d93a7fcb115f62f4ec95
SHA512

a1a7f2cb73cecef6c5488fff571bcc3747ef7b09399778ef382d51c6ad0510618d99dd97d71fddbbc4290d30feadcddc26c893e68a379153af90624442cca137
SSDEEP

12288:ulSAk6QnICkx68EMzQVo2G+q2Rxp2mFcA0u9lyqZ6zTBLmVP6Dcr3eafsmZvnHTE:qSA1QbkxMMzQVo2G+q2R+he9EqZ6zTBZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	pastebin.com
26	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	d6950de30b17788894ae91f0fc276a5a.exe
1756	d6950de30b17788894ae91f0fc276a5a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3308	d6950de30b17788894ae91f0fc276a5a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3308	d6950de30b17788894ae91f0fc276a5a.exe
1756	d6950de30b17788894ae91f0fc276a5a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1756	3308	d6950de30b17788894ae91f0fc276a5a.exe	88
PID 3308 wrote to memory of 1756	3308	d6950de30b17788894ae91f0fc276a5a.exe	88
PID 3308 wrote to memory of 1756	3308	d6950de30b17788894ae91f0fc276a5a.exe	88
PID 1756 wrote to memory of 2908	1756	d6950de30b17788894ae91f0fc276a5a.exe	93
PID 1756 wrote to memory of 2908	1756	d6950de30b17788894ae91f0fc276a5a.exe	93
PID 1756 wrote to memory of 2908	1756	d6950de30b17788894ae91f0fc276a5a.exe	93

C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe
"C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe
  C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d6950de30b17788894ae91f0fc276a5a.exe

Filesize
506KB

MD5
961b522f2241f5d97e0575f90d0dff11

SHA1
30282a96570d5ceed02d99126d6d8b682feda7b7

SHA256
c28776a9658d1cd9ae5ad8db22b499bf61f086f1f6e640190eb7c2f3d3663baa

SHA512
d4d0667964e5952104b3075c1efe4c6c9501ca17bf531bfc52af67229db651909ad1612b659b312291a586f9067fdab9d650950c095bc49c4306d2537c9cf5c7

Download Submit
memory/1756-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1756-17-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/1756-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1756-21-0x0000000004F90000-0x000000000500E000-memory.dmp

Filesize
504KB

Download
memory/1756-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3308-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3308-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3308-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3308-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download